diff -Nru ruby1.9.1-1.9.3.0/debian/changelog ruby1.9.1-1.9.3.0/debian/changelog
--- ruby1.9.1-1.9.3.0/debian/changelog 2013-07-08 17:04:41.000000000 +0000
+++ ruby1.9.1-1.9.3.0/debian/changelog 2013-11-26 17:54:03.000000000 +0000
@@ -1,3 +1,17 @@
+ruby1.9.1 (1.9.3.0-1ubuntu2.8) precise-security; urgency=low
+
+ * SECURITY UPDATE: safe level restriction bypass via DL and Fiddle
+ - debian/patches/CVE-2013-2065.patch: perform taint checking in
+ ext/dl/lib/dl/func.rb, ext/fiddle/function.c.
+ - CVE-2013-2065
+ * SECURITY UPDATE: denial of service and possible code execution via
+ heap overflow in floating point parsing.
+ - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
+ test to test/ruby/test_float.rb.
+ - CVE-2013-4164
+
+ -- Marc Deslauriers Tue, 26 Nov 2013 12:54:01 -0500
+
 ruby1.9.1 (1.9.3.0-1ubuntu2.7) precise-security; urgency=low
 
 * SECURITY UPDATE: incorrect ssl hostname verification
diff -Nru ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-2065.patch ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-2065.patch
--- ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-2065.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-2065.patch 2013-11-26 17:54:19.000000000 +0000
@@ -0,0 +1,37 @@
+Description: fix safe level restriction bypass via DL and Fiddle
+Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=40732
+
+Index: ruby1.9.1-1.9.3.194/ext/dl/lib/dl/func.rb
+===================================================================
+--- ruby1.9.1-1.9.3.194.orig/ext/dl/lib/dl/func.rb 2010-06-25 15:43:15.000000000 -0400
++++ ruby1.9.1-1.9.3.194/ext/dl/lib/dl/func.rb 2013-11-26 11:33:08.377890767 -0500
+@@ -55,6 +55,9 @@
+ super
+ else
+ funcs = []
++ if $SAFE >= 1 && args.any? { |x| x.tainted? }
++ raise SecurityError, "tainted parameter not allowed"
++ end
+ _args = wrap_args(args, @stack.types, funcs, &block)
+ r = @cfunc.call(@stack.pack(_args))
+ funcs.each{|f| f.unbind_at_call()}
+Index: ruby1.9.1-1.9.3.194/ext/fiddle/function.c
+===================================================================
+--- ruby1.9.1-1.9.3.194.orig/ext/fiddle/function.c 2011-08-15 20:51:58.000000000 -0400
++++ ruby1.9.1-1.9.3.194/ext/fiddle/function.c 2013-11-26 11:33:12.265890867 -0500
+@@ -101,6 +101,15 @@
+
+ TypedData_Get_Struct(self, ffi_cif, &function_data_type, cif);
+
++ if (rb_safe_level() >= 1) {
++ for (i = 0; i < argc; i++) {
++ VALUE src = argv[i];
++ if (OBJ_TAINTED(src)) {
++ rb_raise(rb_eSecurityError, "tainted parameter not allowed");
++ }
++ }
++ }
++
+ values = xcalloc((size_t)argc + 1, (size_t)sizeof(void *));
+ generic_args = xcalloc((size_t)argc, (size_t)sizeof(fiddle_generic));
+
diff -Nru ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-4164.patch ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-4164.patch
--- ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-4164.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby1.9.1-1.9.3.0/debian/patches/CVE-2013-4164.patch 2013-11-26 17:54:27.000000000 +0000
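Review bot: The nested `Index:`/`---`/`+++` headers inside CVE-2013-2065.patch name `ruby1.9.1-1.9.3.194`, while the tree this package patches is `ruby1.9.1-1.9.3.0`, so the `@@ -55,6 +55,9 @@` (func.rb) and `@@ -101,6 +101,15 @@` (function.c) offsets were computed against a different package revision; quilt will probably still place the taint checks with fuzz, but the sibling CVE-2013-4164.patch in this same upload carries `1.9.3.0` paths and fresh offsets, and this patch should be refreshed the same way so where the check lands is verifiable. The function.c loop also uses `i` without declaring it; whether the enclosing `function_call` already has an `int i` in scope cannot be seen here, since that function starts before the hunk. For consistency with the 4164 patch header, a DEP-3 tracking line such as `Bug: <tracker URL placeholder>` would be worth adding below the `Origin:` line.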
@@ -0,0 +1,80 @@
+Description: fix denial of service and possible code execution via
+ heap overflow in floating point parsing
+Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43776
+Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=43782
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730178
+
+Index: ruby1.9.1-1.9.3.0/test/ruby/test_float.rb
+===================================================================
+--- ruby1.9.1-1.9.3.0.orig/test/ruby/test_float.rb 2013-11-26 12:54:25.138015637 -0500
++++ ruby1.9.1-1.9.3.0/test/ruby/test_float.rb 2013-11-26 12:54:25.130015636 -0500
+@@ -494,4 +494,16 @@
+ sleep(0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1)
+ end
+ end
++
++ def test_long_string
++ assert_normal_exit(<<-'end;')
++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
++ end;
++ end
++
++ def test_long_string
++ assert_normal_exit(<<-'end;')
++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
++ end;
++ end
+ end
+Index: ruby1.9.1-1.9.3.0/util.c
+===================================================================
+--- ruby1.9.1-1.9.3.0.orig/util.c 2013-11-26 12:54:25.138015637 -0500
++++ ruby1.9.1-1.9.3.0/util.c 2013-11-26 12:54:25.134015636 -0500
+@@ -852,6 +852,11 @@
+ #else
+ #define MALLOC malloc
+ #endif
++#ifdef FREE
++extern void FREE(void*);
++#else
++#define FREE free
++#endif
+
+ #ifndef Omit_Private_Memory
+ #ifndef PRIVATE_MEM
+@@ -1142,7 +1147,7 @@
+ #endif
+
+ ACQUIRE_DTOA_LOCK(0);
+- if ((rv = freelist[k]) != 0) {
++ if (k <= Kmax && (rv = freelist[k]) != 0) {
+ freelist[k] = rv->next;
+ }
+ else {
+@@ -1152,7 +1157,7 @@
+ #else
+ len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
+ /sizeof(double);
+- if (pmem_next - private_mem + len <= PRIVATE_mem) {
++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
+ rv = (Bigint*)pmem_next;
+ pmem_next += len;
+ }
+@@ -1171,6 +1176,10 @@
+ Bfree(Bigint *v)
+ {
+ if (v) {
++ if (v->k > Kmax) {
++ FREE(v);
++ return;
++ }
+ ACQUIRE_DTOA_LOCK(0);
+ v->next = freelist[v->k];
+ freelist[v->k] = v;
+@@ -2231,6 +2240,7 @@
+ for (; c >= '0' && c <= '9'; c = *++s) {
+ have_dig:
+ nz++;
++ if (nf > DBL_DIG * 4) continue;
+ if (c -= '0') {
+ nf += nz;
+ for (i = 1; i < nz; i++)
diff -Nru ruby1.9.1-1.9.3.0/debian/patches/series ruby1.9.1-1.9.3.0/debian/patches/series
--- ruby1.9.1-1.9.3.0/debian/patches/series 2013-07-08 17:04:33.000000000 +0000
+++ ruby1.9.1-1.9.3.0/debian/patches/series 2013-11-26 17:54:23.000000000 +0000
@@ -22,3 +22,5 @@
 CVE-2013-0269.patch
 CVE-2013-1821.patch
 CVE-2013-4073.patch
+CVE-2013-2065.patch
+CVE-2013-4164.patch
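Review bot: The test_float.rb part of CVE-2013-4164.patch defines `test_long_string` twice (the `@@ -494,4 +494,16 @@` hunk adds the same six-line method back to back), which is what combining r43776 and r43782 produces; Ruby silently replaces the first definition with the second, so the duplicate contributes no coverage and should be dropped, leaving a `@@ -494,4 +494,10 @@` hunk. The util.c side pairs up as visible here: the two allocator hunks only touch `freelist[k]` and `private_mem` when `k <= Kmax`, and `Bfree` sends `v->k > Kmax` blocks straight to `FREE`, so a one-line comment at the new early return, `/* k > Kmax blocks never came from freelist/private_mem; see the k <= Kmax checks in the allocator */`, would keep a later reader from folding it back into the freelist path. The `if (nf > DBL_DIG * 4) continue;` guard stops accumulating mantissa digits past that bound; the loop it sits in starts and ends outside the hunk.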